Yeah, but it was the vendor who fucked up, not them. One can argue that using long-term certificates is bad practice in itself, but that's arguable.